On Wed, 31-12-2014 at 13:59 -0500, Brendan Kearney wrote:
> regardless of authentication, client updates to DNS zones are still a
> risk and a rogue app or user can still perform direct updates to zones,
> leading to impersonation/interception of services, denial of service
> attacks and more. Endpoints, or their users, should not be trusted to
> make updates to DNS zones. TSIG signed updates from servers are still
> preferred over authenticated updates from endpoints or users.

Not really. With the default ipa configuration (grant ZONE.COM krb5-self
* A) the worst that the administrator of a workstation, with access to
the host keytab, could do is point the A record of her workstation to a
wrong address.
Please note that someone able to read the host keytab (root on the
workstation) could simply skip dhcp negotiation and assign any address
she likes to her workstation.
With the default ipa configuration a workstation can only set _its_ A,
AAAA and SSHFP records. No less and no more.
Best regards
--
Loris Santamaria linux user #70506 xmpp:lo...@lgs.com.ve
Links Global Services, C.A. http://www.lgs.com.ve
Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:1...@lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
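As an added illustration (not from this thread, and not BIND's or FreeIPA's own code), a simplified model of how a krb5-self update-policy rule confines a host principal to its own records. The realm ZONE.COM, the host names and the three-rule policy (A, AAAA, SSHFP) are constructed to match the default described above; the real BIND rule evaluator has more name types and forms than modelled here.

```python
# Simplified model of BIND's update-policy "krb5-self" rule as used by the
# default FreeIPA configuration. Assumption: only the krb5-self name type and
# host/<fqdn>@REALM principals are modelled; realm and host names are made up.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    identity: str         # Kerberos realm the rule applies to
    nametype: str         # always "krb5-self" in this model
    rrtypes: frozenset    # record types the rule grants, e.g. {"A"}

# Constructed policy matching "grant ZONE.COM krb5-self * A" plus the AAAA and
# SSHFP grants mentioned in the reply. The "*" is the name field, which
# krb5-self ignores: the name is derived from the principal instead.
FREEIPA_DEFAULT_POLICY = """
grant ZONE.COM krb5-self * A;
grant ZONE.COM krb5-self * AAAA;
grant ZONE.COM krb5-self * SSHFP;
"""

def parse_policy(text: str) -> list:
    """Parse 'grant <realm> krb5-self * <types...>;' lines into Rule objects."""
    rules = []
    for line in text.strip().splitlines():
        m = re.match(r"grant\s+(\S+)\s+(\S+)\s+\*\s+(.+?);?$", line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        identity, nametype, types = m.groups()
        if nametype != "krb5-self":
            raise ValueError("only krb5-self is modelled here")
        rules.append(Rule(identity.upper(), nametype,
                          frozenset(t.upper() for t in types.split())))
    return rules

def update_allowed(rules: list, principal: str, name: str, rrtype: str) -> bool:
    """krb5-self: host/<fqdn>@REALM may touch only <fqdn>'s granted record types."""
    m = re.fullmatch(r"host/([^@]+)@(.+)", principal)
    if not m:
        return False                       # user principals never match krb5-self
    fqdn, realm = m.group(1).lower().rstrip("."), m.group(2).upper()
    target = name.lower().rstrip(".")
    return any(r.identity == realm and fqdn == target and rrtype.upper() in r.rrtypes
               for r in rules)

if __name__ == "__main__":
    rules = parse_policy(FREEIPA_DEFAULT_POLICY)
    ws = "host/ws1.zone.com@ZONE.COM"
    print("own A record:   ", update_allowed(rules, ws, "ws1.zone.com", "A"))
    print("other host's A: ", update_allowed(rules, ws, "mail.zone.com", "A"))
    print("own MX record:  ", update_allowed(rules, ws, "ws1.zone.com", "MX"))
```

Running it shows the point of the reply: the workstation's keytab can rewrite ws1.zone.com's A, AAAA and SSHFP records, but not another name's records or any other record type.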